diff --git a/Infrastructure/OAuth/OAuthEndpoints.cs b/Infrastructure/OAuth/OAuthEndpoints.cs
index b8ce9f4..f3206a4 100644
--- a/Infrastructure/OAuth/OAuthEndpoints.cs
+++ b/Infrastructure/OAuth/OAuthEndpoints.cs
@@ -133,15 +133,13 @@ public static class OAuthEndpoints
 
             if (flowState.IsRegistration)
             {
-                // ── Registration flow: confidential client exchange (OIDC app + secret) ──
-                var oidcClientId     = config["Oidc:ClientId"]!;
-                var oidcClientSecret = config["Oidc:ClientSecret"]!;
+                // ── Registration flow: public client exchange (PKCE only, no secret) ──
+                var oidcClientId = config["Oidc:ClientId"]!;
 
                 var body = new Dictionary<string, string>
                 {
                     ["grant_type"]    = "authorization_code",
                     ["client_id"]     = oidcClientId,
-                    ["client_secret"] = oidcClientSecret,
                     ["code"]          = code,
                     ["redirect_uri"]  = o.RedirectUri,
                     ["code_verifier"] = flowState.CodeVerifier,
diff --git a/SharepointToolbox.Web.csproj b/SharepointToolbox.Web.csproj
index 74cffba..b19ffe3 100644
--- a/SharepointToolbox.Web.csproj
+++ b/SharepointToolbox.Web.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
@@ -6,6 +6,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <RootNamespace>SharepointToolbox.Web</RootNamespace>
     <NoWarn>$(NoWarn);NU1701;CS0618</NoWarn>
+    <UserSecretsId>ab5b666b-ca8d-4799-90ee-ec5e23658112</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>